this (not russia) is hopefully the source of the ‘cyber-attack’

Police seize servers of Ukrainian software firm after cyber attack
Natalia Zinets, Pavel Polityuk, Reuters, Jul 4 2017

KIEV – Ukrainian police on Tuesday seized the servers of an accounting software firm suspected of spreading a malware virus which crippled computer systems at major companies around the world last week, a senior police official said. The head of Ukraine’s Cyber Police, Sergei Demedyuk, told Reuters the servers of MEDoc, Ukraine’s most popular accounting software, had been seized as part of an investigation into the attack.

Though they are still trying to establish who was behind last week’s attack, Ukrainian intel boxtops and security firms have said some of the initial infections were spread via a malicious update issued by MEDoc, charges the company’s owners deny. Premium Service, which says it is an official dealer of MEDoc’s software, wrote a post on MEDoc’s Facebook page saying masked men were searching MEDoc’s offices and that the software firm’s servers and services were down. Cyber-Police spox Yulia Kvitko said investigative actions were continuing at MEDoc’s offices, adding that further comments would be made on Wednesday.

The police move came after cyber-security investigators unearthed further evidence on Tuesday that the attack had been planned months in advance by highly-skilled hackers, who they said had inserted a vulnerability into the MEDoc programme. Researchers at Slovakian security software firm ESET said they had found a “backdoor” written into some of MEDoc’s software updates, likely with access to the company’s source code, which allowed hackers to enter companies’ systems undetected. ESET senior malware researcher Anton Cherepanov said in a technical note:

We identified a very stealthy and cunning backdoor that was injected by attackers into one of MEDoc’s legitimate modules. It seems very unlikely that attackers could do this without access to MEDoc’s source code since the beginning of the year. The detailed preparation before the attack is testament to the fact that this was a thoroughly well-planned and well-executed operation of an advanced nature. At least three MEDoc updates were issued with the backdoor vulnerability. The first one was sent to clients on Apr 14.

Oleg Derevianko, board chairman at Ukrainian cyber-security firm ISSP, told Reuters in an interview at his office in Kiev:

An update issued by MEDoc in April delivered a virus to the company’s clients which instructed computers to download 350 MB of data from an unknown source on the internet. The virus then exported 35 MB of company data to the hackers. With this 35 MB you can exfiltrate anything: emails from all of the banks, user accounts, passwords, anything.

Little known outside Ukrainian accounting circles, MEDoc is used by around 80% of companies in Ukraine. The software allows its 400,000 clients to send and collaborate on financial documents between internal departments, as well as file them with the Ukrainian state tax service. Ukraine’s government said on Tuesday it would submit a draft law to parliament for the country’s tax deadline to be extended to Jul 15, and waive fines for companies who missed the previous Jun 13 cutoff because of the attack. PM Vladimir Groysman told a cabinet meeting:

We had program failures in connection to the cyber attack, which meant that businesses were unable to submit account reports on time.

Separately, the SBU said it had discussed cyber-defense with NATO boxtops and had received equipment from them to better combat future cyber-attacks. Ukraine is not in NATO but is seeking closer ties. On Saturday, Ukrainian intel boxtops accused Russian security services of being behind the attack, and cyber-security researchers linked it to a suspected Russian group who (supposedly) attacked the Ukrainian power grid in Dec 2016. A Kremlin spox dismissed charges of Russian involvement as “unfounded blanket accusations.” Derevianko said:

The hacker’s activity in April and reported access to MEDoc’s source code show that Ukraine’s computer networks had already been compromised and that the intruders were already operating inside them. It definitely tells us about the advanced capabilities of the adversaries. I don’t think any additional evidence is needed to attribute this to a nation-state attack.
